Hi Team,
I am getting system generated log in Elasticsearch Audit logs file. can you please provide me solution to avoid the system generated logs in audit log.
I did below configuration in elasticsearch.yml file
Microsoft Windows [Version 10.0.22000.2713]
(c) Microsoft Corporation. All rights reserved.
C:\Users\ashishkumar_shukla\Downloads>ssh -i "elasticsearch22_key.pem" ec2-user@ec2-43-205-211-14.ap-south-1.compute.amazonaws.com
The authenticity of host 'ec2-43-205-211-14.ap-south-1.compute.amazonaws.com (43.205.211.14)' can't be established.
ECDSA key fingerprint is SHA256:ZHRRohLx7VLL0HNpOAuQdO6Yka0LHnNnxLfCsJpmFyI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ec2-43-205-211-14.ap-south-1.compute.amazonaws.com,43.205.211.14' (ECDSA) to the list of known hosts.
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at Hybrid Cloud Console
Last login: Wed Jan 31 13:36:19 2024 from 103.92.43.94
[ec2-user@ip-172-31-39-77 ~]$ sudo su
[root@ip-172-31-39-77 ec2-user]# cat etc/elasticsearch/elasticsearch.yml
cat: etc/elasticsearch/elasticsearch.yml: No such file or directory
[root@ip-172-31-39-77 ec2-user]# cat /etc/elasticsearch/elasticsearch.yml
======================== Elasticsearch Configuration =========================
NOTE: Elasticsearch comes with reasonable defaults for most settings.
Before you set out to tweak and tune the configuration, make sure you
understand what are you trying to accomplish and the consequences.
The primary way of configuring a node is via this file. This template lists
the most important settings you may want to configure for a production cluster.
Please consult the documentation for further information on configuration options:
Elasticsearch Guide | Elastic
---------------------------------- Cluster -----------------------------------
Use a descriptive name for your cluster:
cluster.name: my-application1
------------------------------------ Node ------------------------------------
Use a descriptive name for the node:
node.name: node-1
Add custom attributes to the node:
#node.attr.rack: r1
----------------------------------- Paths ------------------------------------
Path to directory where to store the data (separate multiple locations by comma):
path.data: /var/lib/elasticsearch
Path to log files:
path.logs: /var/log/elasticsearch
----------------------------------- Memory -----------------------------------
Lock the memory on startup:
#bootstrap.memory_lock: true
Make sure that the heap size is set to about half the memory available
on the system and that the owner of the process is allowed to use this
limit.
Elasticsearch performs poorly when the system is swapping the memory.
---------------------------------- Network -----------------------------------
By default Elasticsearch is only accessible on localhost. Set a different
address here to expose this node on the network:
network.host: 172.31.39.77
By default Elasticsearch listens for HTTP traffic on the first free port it
finds starting at 9200. Set a specific HTTP port here:
http.port: 9200
For more information, consult the network module documentation.
--------------------------------- Discovery ----------------------------------
Pass an initial list of hosts to perform discovery when this node is started:
The default list of hosts is ["127.0.0.1", "[::1]"]
#discovery.seed_hosts: ["host1", "host2"]
Bootstrap the cluster using an initial set of master-eligible nodes:
#cluster.initial_master_nodes: ["node-1", "node-2"]
For more information, consult the discovery and cluster formation module documentation.
---------------------------------- Various -----------------------------------
Allow wildcard deletion of indices:
#action.destructive_requires_name: false
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
The following settings, TLS certificates, and keys have been automatically
generated to configure Elasticsearch security features on 22-01-2024 12:06:59
--------------------------------------------------------------------------------
Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.audit.enabled : true
xpack.security.audit.logfile.events.include: ["authentication_success","authentication_failed"]
xpack.security.audit.logfile.events.emit_request_body : true
xpack.security.audit.logfile.emit_node_name : true
xpack.security.audit.logfile.emit_node_host_address : true
xpack.security.audit.logfile.emit_node_host_name: true
xpack.security.audit.logfile.emit_node_id: true
xpack.license.self_generated.type: trial
Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
enabled: false
keystore.path: certs/http.p12
Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
enabled: false
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
Create a new cluster with the current node only
Additional nodes can still join the cluster later
#cluster.initial_master_nodes: ["ip-172-31-39-77.ap-south-1.compute.internal"]
discovery.type: single-node
Allow HTTP API connections from anywhere
Connections are encrypted and require user authentication
http.host: 0.0.0.0
Allow other nodes to join the cluster from anywhere
Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
[root@ip-172-31-39-77 ec2-user]#
Example of system generated audit log
{"type":"audit", "timestamp":"2024-01-31T13:01:05,961+0000", "cluster.uuid":"aqyZaw7QTgKfg0neAFQ1ig", "node.name":"node-1", "node.id":"6NN4AY_yRhqyXQ_9i4RQ-w", "host.name":"172.31.39.77", "host.ip":"172.31.39.77", "event.type":"transport", "event.action":"authentication_success", "authentication.type":"INTERNAL", "user.name":"_system", "user.realm":"__fallback", "origin.type":"local_node", "origin.address":"172.31.39.77:9300", "request.id":"Xxi5qsZ5RzmrSAsjH9sS3Q", "action":"cluster:monitor/update/health/info", "request.name":"Request"}
{"type":"audit", "timestamp":"2024-01-31T13:06:05,954+0000", "cluster.uuid":"aqyZaw7QTgKfg0neAFQ1ig", "node.name":"node-1", "node.id":"6NN4AY_yRhqyXQ_9i4RQ-w", "host.name":"172.31.39.77", "host.ip":"172.31.39.77", "event.type":"transport", "event.action":"authentication_success", "authentication.type":"INTERNAL", "user.name":"_system", "user.realm":"__fallback", "origin.type":"local_node", "origin.address":"172.31.39.77:9300", "request.id":"tux-hSILReit31XuPnWNtg", "action":"cluster:monitor/update/health/info", "request.name":"Request"}